PCOM sec br2
Operating Manual-1004534-EN-04


Summary of Contents for Pilz PCOM sec br2

  • Page 1 PCOM sec br2 Operating Manual-1004534-EN-04...
  • Page 2 Preface This document is a translation of the original document. All rights to this documentation are reserved by Pilz GmbH & Co. KG. Copies may be made for internal purposes. Suggestions and comments for improving this documentation will be gratefully received.
  • Page 3: Table Of Contents

    Connection, Network interfaces, Configuration, User interface, Establish connection to SecurityBridge, Managing users, 8.3.1 Permissions, 8.3.2 User groups, 8.3.3 Create user, 8.3.4 Manage user via RADIUS server...
  • Page 4 Release of remote access with a key switch, 12.3 PSS 4000 with an external control and OPC server, Technical details, Network data, Security-relevant log messages, Order reference, 16.1 Product, 16.2 Accessories...
  • Page 5: Introduction

    Introduction Validity of documentation This documentation is valid for the product PCOM sec br2. It is valid until new documentation is published. This operating manual explains the function and operation, describes the installation and provides guidelines on how to connect the product.
  • Page 6: Third-Party Manufacturer Licence Information

    The request for the source code must be received 3 years at the latest after the receipt of the relevant GPL or LGPL. Irrespective of this period we will send you a complete, machine-readable copy of the source code as long as Pilz offers spares or technical support for this device.
  • Page 7: Safety

    The SecurityBridge PCOM sec br2 may only be connected to a head module from the PSS 4000 system or to a base unit of the configurable system PNOZmulti (please refer to the document "PNOZmulti System Expansion"...
  • Page 8: Warranty And Liability

    Damage can be attributed to not having followed the guidelines in the manual; operating personnel are not suitably qualified; any type of modification has been made (e.g. exchanging components on the PCB boards, soldering work etc.)...
  • Page 9: Security

    SecurityBridge Fig.: DefenseInDepth The product PCOM sec br2 secures the devices in the protected network from network-based attacks and/or unauthorised access via the network. The product is the last layer in the Defense in depth concept. To efficiently implement the concept, the measures de-...
  • Page 10: Operating Environment

    Protect the computer from unauthorised use by assigning passwords, and taking further measures, if required. We also recommend that the logged in user does not have administrator rights...
  • Page 11: Commissioning

    The computers used to monitor the system must be secured to the general best practice rules for security. As soon as possible, install firmware updates that Pilz provides for the device. Make sure you regularly check the event log of the product for security-relevant entries. A...
  • Page 12: Decommissioning

    Make sure that the SecurityBridge is safely decommissioned before disposing of the device (see chapter Take SecurityBridge safely out of operation [ 41]). Where possible, perform these steps also when servicing and sending the device to Pilz...
  • Page 13: Overview

    Overview Unit features Application of the product PCOM sec br2: SecurityBridge for safe authentication and communication with a PSS 4000 or a PNOZmulti system. The product has the following features: Configurable via a web-based user interface VPN server to build a VPN tunnel for safe transfer of data...
  • Page 14: Front View

    I0: Input O0: Output 24 V (A1), 0 V (A2) Module Supply USB interface for USB memory to save and restore the configuration LEDs PWR, DIAG, Bypass, User, Setup, I0, O0 Firmware XXXX...
  • Page 15: Function Description

    VPN tunnel. In normal circumstances, the VPN client is within the company network. Configuration changes to a project can only be performed by users who have a relevant permission...
  • Page 16: Block Diagram

    PCs (configuration PC). This enables tap-proof, manipulation-proof data transfer between the client PC and SecurityBridge. Only the VPN client from Pilz is supported. Up to 5 client connections can exist simultaneously. A VPN tunnel can only be built by authenticated, authorised users.
  • Page 17: Input And Output

    Setup mode is signalled via the digital output. If there is a 1-signal at the output, then setup mode is activated. If there is a 0-signal at the output, then setup mode is not activated...
  • Page 18: Usb Memory

    CAUTION! When using the USB backup, make sure that the SecurityBridge and USB memory are protected against unauthorised access (by placing the SecurityBridge in a locked control cabinet, for example)...
  • Page 19: Installation

    Damage due to electrostatic discharge! Electrostatic discharge can damage components. Ensure against discharge before touching the product, e.g. by touching an earthed, conductive surface or by wearing an earthed armband. Dimensions 94 (3.70") (1.77")...
  • Page 20: Wiring

    – Polarity protection – No voltage stabilisation Connection Supply to the module X4 Supply to the SC outputs X3 + 24 V DC Input X3 24 V DC Output X4 24 V DC...
  • Page 21: Network Interfaces

    – When Autonegotiation is used, Autonegotiation must also be activated at the remote station. With deactivated autonegotiation: – Communication speed: 10 Mbits/s or 100 Mbits/s – Duplex: Half duplex or full duplex...
  • Page 22: Configuration

    1. Establish Ethernet connection a Connect the configuration PC directly to the Ethernet interface X1 of the SecurityBridge PCOM sec br2. Alternatively you can use a switch to which only the configuration PC and the SecurityBridge are connected.
  • Page 23 9]). 6. Change network settings To access the SecurityBridge PCOM sec br2 from the company network, change the network settings of the SecurityBridge. The settings are adapted in the Web interface under System → Settings → Network (see also Online Help).
  • Page 24: Managing Users

    AccessGroup-1, AccessGroup-2, AccessGroup-3: User is allowed to access the Generic Device belonging to one of these three groups if he is assigned to a user group with the same permission...
  • Page 25: User Groups

    A secure Server Shared Secret must be entered to configure the RADIUS server. The same Server Shared Secret must be configured on the RADIUS server. Use a separate Server Shared Secret for each SecurityBridge that is configured via the RADIUS server...
  • Page 26 Vendor type (1 Byte): 0 = Group name contained in the transmitted data; 1 = Permissions contained in the transmitted data as comma-separated values. Vendor length (1 Byte): 2 + data length...
  • Page 27: Create Device

    If you set unknown IP addresses or port numbers, multiple devices from an unprotected network will be able to access the PSS 4000 device in the protected network. Create precisely one rule for one connection, which has been configured for a PSS 4000 device...
  • Page 28: Access Rules For Generic Devices

    The SecurityBridge uses X.509 certificates to secure communication between the VPN client and the SecurityBridge, plus the user interface. By default the system uses a self-signed CA certificate to sign the server certificate. The certificates are automatically generated by the SecurityBridge...
  • Page 29 The Select Certificate Store window is opened. 5. Select Trusted Root Certification Authorities and click OK… 6. Click Next. 7. Click Complete. A safety warning may appear. Confirm that you wish to install the certificate...
  • Page 30 CA certificate for the server certificate. The VPN client cannot download the correct CA certificate until the appropriate CA certificate has been uploaded. Possible formats: Effects: When a CA certificate is uploaded, any existing private key will be deleted...
  • Page 31: Manage Logging

    SecurityBridge is restarted. If the active configuration is to be saved on the SecurityBridge and is to be available again on restart, it must be applied as the start configuration...
  • Page 32: Check Sum Monitoring

    A message is generated when the check sum is changed in the connected device. The overall check sum for the project is used for PNOZmulti devices. The check sum for the FS project is used for PSS 4000 devices...
  • Page 33: Access To The System In The Protected Network

    To create a connection to SecurityBridge for the first time, a new client connection has to be created. Proceed as follows: 1. Start the VPN client by clicking All programs > Pilz > SecurityBridge VPN Client. 2. Double-click on the symbol of the VPN client in the task bar to open the VPN client.
  • Page 34: Log In To Client

    During authentication, the user name is always searched first in the local user management on the SecurityBridge's user interface. If the user name cannot be found in the internal user management and a RADIUS server is configured, a request is sent to the RADIUS server...
  • Page 35 [Flowchart: user lookup, RADIUS server configured?, check setup mode, user permitted?, check passwords, check user group, call up group permissions; outcomes: authentication successful / authentication failed] Fig.: Authentication via the internal user management...
  • Page 36 [Flowchart: request to the RADIUS server, response?, request to the secondary RADIUS server, response?, user permitted?, check group or permissions from the response, value OK?; outcomes: authentication successful / authentication failed] Fig.: Authentication via the RADIUS server...
  • Page 37: Firmware Update

    The firmware can only be updated by users with Administration permission. The update packet is digitally signed to prevent manipulation. An update packet can be downloaded to the device from the download area on the Pilz website (file extension .fw) or via the software tool PASupdate. PASupdate will let you know when a new update is available.
  • Page 38: Operation

    Bypass mode is activated. User: You can configure the function and colour of the user LED. Colour / State / Meaning: - / - / No function configured; Green or red / Function depends on the configuration...
  • Page 39: Recovery

    Incorrect configuration of the IP address All the data must be deleted, when the SecurityBridge is to be decommissioned for example (see operating instructions, Section Take SecurityBridge safely out of operation [ 41])...
  • Page 40: Error Mode

    If the system detects an internal error, it will switch to error mode. Settings for how the system should behave in error mode can be made on the user interface: Availability: All data is forwarded. Security: No more data is forwarded...
  • Page 41: Take Securitybridge Safely Out Of Operation

    If you used a USB memory, remove the USB memory from the SecurityBridge and format it on the configuration PC. Do not carry out a quick formatting. Alternatively, you can use a program to safely delete data or destroy the memory mechanically...
  • Page 42: Application Examples

    The fieldbus module is in the protected network. [Figure: SecurityBridge, fieldbus module, base unit + input/output module, protected network, PNOZmulti Configurator, control system; legend: protected connection / unprotected connection]...
  • Page 43: Release Of Remote Access With A Key Switch

    SecurityBridge [ 22]. The release of the connection is made by a "1" signal at the input I0. If there is no release, all the connection attempts via the VPN client are prevented...
  • Page 44: Pss 4000 With An External Control And Opc Server

    Access to the system in the protected network [ [Figure: PSS 4000, SecurityBridge, PSS 4000 control system, VPN tunnel, PAS4000 OPC Server; legend: protected connection / unprotected connection] Fig.: Application example PSS 4000 with external control...
  • Page 45: Technical Details

    60068-2-30, EN 60068-2-78 Ambient temperature In accordance with the standard EN 60068-2-14 Temperature range 0 - 60 °C Storage temperature In accordance with the standard EN 60068-2-1/-2 Temperature range -25 - 70 °C...
  • Page 46 0,25 - 2,5 mm², 24 - 12 AWG 2 core with the same cross section, flexible without crimp connectors or with TWIN crimp connectors 0,2 - 1,5 mm², 24 - 16 AWG...
  • Page 47 Spring-loaded terminals: Terminal points per connection Stripping length with spring-loaded terminals 9 mm Dimensions Height 96 mm Width 45 mm Depth 111,5 mm Where standards are undated, the 2017-06 latest editions shall apply...
  • Page 48: Network Data

    Def: Inactive. RADIUS client: RADIUS, 0 … 65535, Protected by Shared Secret, Def.: 1812, Def: Inactive. Switching Loop detection: proprietary, In/out, Layer 2, 0x88b5, Frames are received only via device port X2...
  • Page 49: Security-Relevant Log Messages

    The IP address {{ip}} is locked because too many login attempts have failed. 1108: Access to web service denied for IP address {{ip}}. 1109: User "{{username}}", IP address {{ip}}: The IP address is blocked. Too many attempts to change the password...
  • Page 50: Order Reference

    Module for secure authentication and communication with PNOZmulti 2 and PSS 4000: order no. 311 502. 16.2 Accessories Connection terminals (Product type / Features / Order no.): Set4 Spring Terminals / 1 set of spring-loaded terminals / 751016; Set4 Screw Terminals / 1 set of screw terminals / 750016...
  • Page 51 We are represented internationally. Please refer to our homepage www.pilz.com for further details or contact our headquarters. Headquarters: Pilz GmbH & Co. KG, Felix-Wankel-Straße 2, 73760 Ostfildern, Germany Telephone: +49 711 3409-0, Telefax: +49 711 3409-133, E-Mail: info@pilz.com, Internet: www.pilz.com...

This manual is also suitable for:

311502